NETWORK ADMINISTRATION APPARATUS, NETWORK ADMINISTRATING PROGRAM,
NETWORK ADMINISTRATING METHOD AND COMPUTER NETWORK SYSTEM

Cross Reference to Related Applications 

This patent application claims priority based on a Japanese patent application, 2001-111109
filed on April 10, 2001, the contents of which are incorporated herein by reference.

Background of Invention 
Field of the Invention

[0001] The present invention relates to a network administration apparatus, a network
administrating program, a network administrating method and a computer network system.
More particularly, the present invention relates to a MAC (Media Access Control) address-based 
VLAN (Virtual Local Area Network) that can be configured based upon selected identifying 
information from a network device, which allows efficient VLAN settings with high security. 

Description of the Related Art 

[0002] A network administration apparatus or an interconnecting device that configures a MAC
address-based VLAN includes a database in which a MAC address of a network device and a
VLAN group to which the network device belongs are stored in such a manner that the MAC
address and the VLAN group correspond to each other. When receiving a MAC address in a
packet from a certain network device, the network administration apparatus or interconnecting
device recognizes the VLAN group of the network device based on the received MAC address,
and assigns the registered VLAN group to the network device. 

[0003] In a computer network system forming a conventional type MAC address-based VLAN,
however, a network administrator has to update the database in which the MAC address and the
corresponding VLAN group are stored when a VLAN group is newly created, the VLAN group of 
a certain network device is changed, or a new network device is connected to the network, for 
example. 

Summary of Invention 

[0004] Therefore, it is an object of the present invention to provide a network administration 
apparatus, a network administrating program, a network administrating method and a
computer network system, which are capable of overcoming the above drawbacks
accompanying the conventional art. The above and other objects can be achieved by
combinations described in the independent claims. The dependent claims define further
advantageous and exemplary combinations of the present invention.

[0005] According to the first aspect of the present invention, a network administration apparatus
for administrating a network device that performs communication in a network, comprising: a
VLAN information database operable to store one or more VLAN groups to which one or more
network devices connected to the network are to belong, and one or more units of device
identifying information respectively specifying the one or more network devices, each of the
one or more VLAN groups corresponding to at least one unit of device identifying information; 
a receiving unit operable to receive device identifying information of a network device 
therefrom; a database updating unit operable to store the received device identifying 
information to correspond to a VLAN group to which the network device having the received 
device identifying information is to belong in the VLAN information database; and a setting unit 
operable to assign the VLAN group stored in the VLAN information database that corresponds 
to the received device identifying information to the network device having the received device 
identifying information. 

[0006] The device identifying information may be a MAC address of the network device.

[0007] The VLAN information database may further store user identifying information, specifying a 
user of the network device, to correspond to the VLAN group of the network device, the 
receiving unit may further receive the user identifying information from the network device, and
the database updating unit may store the device identifying information in the VLAN 
information database to correspond to the user identifying information and the VLAN group, in 
a case where the VLAN information database has already stored the user identifying information 
received by the receiving unit. 

[0008] The receiving unit may receive the device identifying information of the network device, 
which belongs to a default VLAN group in the VLAN information database, from the network 
device, and the setting unit may assign, in a case where the device identifying information 
received by the receiving unit is included in the one or more units of device identifying 
information stored in the VLAN information database, the VLAN group corresponding to the 
received device identifying information to the network device of the default VLAN group.

[0009] The VLAN information database may further store one or more units of user identifying
information respectively specifying users of the one or more network devices in such a manner
that each unit of user identifying information corresponds to one of the one or more VLAN
groups, the receiving unit may further receive, in a case where the received device identifying
information is not stored in the VLAN information database, user identifying information from
the network device of the default VLAN group, the database updating unit may store the device
identifying information of the network device received by the receiving unit to correspond to
the user identifying information and the VLAN group thereof in a case where the user
identifying information received by the receiving unit is stored in the VLAN information
database, and the setting unit may assign the VLAN group in the VLAN information database,
that corresponds to the received device identifying information, to the network device of the
default VLAN group.

[0010] The network administration apparatus may further comprise a detecting unit operable to
detect a new network device that has been newly connected to the network or turned on, and 
the receiving unit may receive device identifying information of the new network device 
detected by the detecting unit from the new network device. 

[0011] The detecting unit may further detect one of the one or more network devices that has been
removed from the network or turned off, the detected network device having corresponding 
device identifying information stored in the VLAN information database, and the database 
updating unit may delete the corresponding device identifying information from the VLAN 
information database for the detected network device.



[0012] The database updating unit may delete the corresponding device identifying information of
the network device detected by the detecting unit from the VLAN information database when a 
predetermined time period has passed after detection that the network device has been 
removed from the network or turned off. 

[0013] The setting unit may assign a default VLAN group to a connection port of an
interconnecting device corresponding to the network device detected by the detecting unit.

[0014] The network administration apparatus may belong to the default VLAN group, and the
receiving unit may receive device identifying information of a network device of the default
VLAN group therefrom by being connected to the connection port to which the default VLAN
group is assigned.

[0015] According to the second aspect of the present invention, a network administrating program
for administrating a network device that performs communication in a network, comprising: a
storing module operable to store one or more VLAN groups to which one or more network
devices connected to the network are to belong, and one or more units of device identifying
information respectively specifying the one or more network devices, each of the one or more
VLAN groups corresponding to at least one unit of device identifying information; a receiving
module operable to receive device identifying information of a network device therefrom; a
database-updating module operable to store the received device identifying information to
correspond to a VLAN group to which the network device having the received device identifying 
information is to belong; and a setting module operable to assign the VLAN group that 
corresponds to the received device identifying information, to the network device having the 
received device identifying information. 

[0016] The storing module may further store user identifying information, specifying a user of the
network device, to correspond to the VLAN group of the network device, the receiving module 
may further receive the user identifying information from the network device, and the 
database-updating module may store the device identifying information to correspond to the 
user identifying information and the VLAN group, in a case where the storing module has 
already stored the user identifying information received by the receiving module. 

[0017] The receiving module may receive the device identifying information of the network device,
which belongs to a default VLAN group different from said one or more VLAN groups in said
VLAN information database, from the network device, and the setting module may assign, in a 
case where the device identifying information received by the receiving module is included in 
the one or more units of device identifying information stored by the storing module, one of 
the one or more VLAN groups that corresponds to the received device identifying information to 
the network device of the default VLAN group. 

[0018] The storing module may further store one or more units of user identifying information
respectively specifying users of the one or more network devices in such a manner that each
unit of user identifying information corresponds to one of the one or more VLAN groups, the
receiving module may further receive, in a case where the received device identifying
information is not stored by the storing module, the user identifying information of the network
device of the default VLAN group, the database-updating module may store the device
identifying information of the network device received by the receiving module to correspond to
the user identifying information and the VLAN group thereof in a case where the user
identifying information received by the receiving module is stored by the storing module, and
the setting module may assign the VLAN group that corresponds to the received device
identifying information to the network device of the default VLAN group.

[0019] The network administrating program may further comprise a detecting module operable to
detect a new network device that has been newly connected to the network or turned on, and
the receiving module may receive device identifying information of the new network device
detected by the detecting module from the new network device. 

[0020] The detecting module may further detect one of the one or more network devices that has 
been removed from the network or turned off, the detected network device having 
corresponding device identifying information, and the database-updating module may delete 
the corresponding device identifying information for the detected network device. 

[0021] The database-updating module may delete the corresponding device identifying
information of the network device detected by the detecting module, when a predetermined
time period has passed after detection that the network device has been removed from the 
network or turned off. 

[0022] The setting module may assign a default VLAN group to a connection port of an
interconnecting device corresponding to the network device detected by the detecting module.

[0023] The receiving module may receive device identifying information of a network device of the 
default VLAN group therefrom by being connected to the connection port to which the default 
VLAN group is assigned.

[0024] According to the third aspect of the present invention, a network administrating method for 
use in a network administration apparatus operable to administrate a network device that 
performs communication in a network, the network administration apparatus comprising a 
VLAN information database for storing one or more VLAN groups to which one or more network 
devices connected to the network are to belong, and one or more units of device identifying 
information respectively specifying the one or more network devices, each of the one or more 
VLAN groups corresponding to at least one unit of device identifying information, the method 
comprising: receiving device identifying information of a network device therefrom; storing
received device identifying information to correspond to a VLAN group to which the network
device having the received device identifying information is to belong; and assigning the VLAN
group that corresponds to the received device identifying information to the network device
having the received device identifying information.

[0025] The network administrating method may further comprise storing user identifying
information, specifying a user of the network device, to correspond to the VLAN group of the
network device, and storing the received device identifying information to correspond to the
stored user identifying information and the VLAN group.

[0026] The network administrating method may further comprise receiving device identifying
information of the network device, which belongs to a default VLAN group, and in a case where
the received device identifying information is included in the stored device identifying 
information, assigning one of the one or more VLAN groups that corresponds to the received 
device identifying information to the network device of the default VLAN group. 

[0027] The network administrating method may further comprise storing one or more units of user
identifying information respectively specifying users of the one or more network devices in
such a manner that each unit of user identifying information corresponds to one of the one or
more VLAN groups, in a case where the received device identifying information is not included
in the stored device identifying information, storing the device identifying information of the
network device of the default VLAN group to correspond to the stored user identifying
information and the VLAN group thereof, and assigning the VLAN group that corresponds to 
the device identifying information of the network device of the default VLAN group to the 
network device. 

[0028] The network administrating method may further comprise detecting a new network device 
that has been newly connected to the network or turned on, and receiving detected device 
identifying information of the new network device. 

[0029] The network administrating method may further comprise detecting one of the one or more 
network devices that has been removed from the network or turned off, and deleting 
corresponding device identifying information for the detected network device. 

[0030] The device identifying information of the network device may be deleted when a
predetermined time period has passed after detection that the network device has been
removed from the network or turned off.

[0031] The network administrating method may further comprise assigning a default VLAN group
to a connection port of an interconnecting device corresponding to the detected network
device.

[0032] The device identifying information of a network device of the default VLAN group may be
received therefrom by connecting to the connection port to which the default VLAN group is
assigned.

[0033] According to the fourth aspect of the present invention, a computer network system
comprising a network device operable to perform communication in a network, and a network
administration apparatus operable to administrate the network device, wherein the network 
administration apparatus comprises: a VLAN information database operable to store one or 
more VLAN groups to which one or more network devices connected to the network are to 
belong, and one or more units of device identifying information respectively specifying the one 
or more network devices, each of the one or more VLAN groups corresponding to at least one 
unit of device identifying information; a receiving unit operable to receive, from the network 
device, device identifying information thereof; a database updating unit operable to store the 
received device identifying information to correspond to a VLAN group to which the network 
device having the received device identifying information is to belong; and a setting unit 
operable to assign the VLAN group that corresponds to the received device identifying
information to the network device having the received device identifying information. 

[0034] The VLAN information database may further store user identifying information, specifying a 
user of the network device, to correspond to the VLAN group of the network device, the 
receiving unit may further receive the user identifying information from the network device, and 
the database updating unit may store the device identifying information in the VLAN 
information database to correspond to the user identifying information and the VLAN group in 
a case where the VLAN information database has already stored the user identifying information 
received by the receiving unit. 

[0035] The receiving unit may receive the device identifying information of the network device,
which belongs to a default VLAN group, from the network device, and the setting unit may
assign, in a case where the device identifying information received by the receiving unit is
included in the one or more units of device identifying information stored in the VLAN
information database, one of the one or more VLAN groups that corresponds to the received
device identifying information to the network device of the default VLAN group.

[0036] The VLAN information database may further store one or more units of user identifying 
information respectively specifying users of the one or more network devices in such a manner
that each unit of user identifying information corresponds to one of the one or more VLAN
groups, the receiving unit may further receive, in a case where the received device identifying
information is not stored in the VLAN information database, the user identifying information of
the network device of the default VLAN group, the database updating unit may store the device 
identifying information of the network device received by the receiving unit to correspond to 
the user identifying information and the VLAN group thereof in a case where the user 
identifying information received by the receiving unit is stored in the VLAN information 
database, and the setting unit may assign the VLAN group that corresponds to the device 
identifying information of the network device of the default VLAN group, to the network device. 

[0037] The network administration apparatus may further comprise a detecting unit operable to 
detect a new network device that has been newly connected to the network or turned on, and 
the receiving unit may receive device identifying information of the new network device 
detected by the detecting unit from the new network device. 

[0038] The detecting unit may further detect one of the one or more network devices that has been
removed from the network or turned off, the detected network device having corresponding 
device identifying information stored in the VLAN information database, and the database 
updating unit may delete the corresponding device identifying information from the VLAN 
information database for the detected network device. 

[0039] The database updating unit may delete the corresponding device identifying information of 
the network device detected by the detecting unit from the VLAN information database when a 
predetermined time period has passed after detection that the network device has been 
removed from the network or turned off. 

[0040] The computer network system may further comprise an interconnecting device operable to 
connect the network administration apparatus and the network device. In this case, the setting 
unit may assign a default VLAN group to a connection port of the interconnecting device
corresponding to the network device detected by the detecting unit.

[0041] The network administration apparatus may belong to the default VLAN group, and the
receiving unit may receive device identifying information of a network device of the default
VLAN group therefrom by being connected to the connection port to which the default VLAN
group is assigned.

[0042] The summary of the invention does not necessarily describe all necessary features of the
present invention. The present invention may also be a sub-combination of the features 
described above. The above and other features and advantages of the present invention will 
become more apparent from the following description of the embodiments taken in conjunction 
with the accompanying drawings. 

Brief Description of Drawings 

[0043] Fig. 1 shows an exemplary structure of a computer network system according to an 
embodiment of the present invention.

[0044] Fig. 2 shows an exemplary structure of a network administration apparatus according to the 
embodiment of the present invention. 

[0045] Fig. 3 shows an exemplary data format of a VLAN information file stored in a VLAN 
information database. 

[0046] Fig. 4 is a flowchart of a procedure for setting a VLAN group by the network administration
apparatus according to the embodiment of the present invention. 

[0047] Fig. 5 is a flowchart of a procedure for setting a default VLAN group by the network 
administration apparatus according to the embodiment of the present invention. 

[0048] Fig. 6 shows a hardware configuration of the network administration apparatus 10
according to the embodiment of the present invention. 

Detailed Description 

[0049] The invention will now be described based on the preferred embodiments, which do not 
intend to limit the scope of the present invention, but exemplify the invention. All of the 
features and the combinations thereof described in the embodiment are not necessarily
essential to the invention.

[0050] Fig. 1 illustrates a structure of a computer network system according to an embodiment of
the present invention. The computer network system of the present embodiment includes
network devices 14a, 14b, 14c and 14d each of which performs communication through a
network, a network administration apparatus 10 that administrates the network devices 14a,
14b, 14c and 14d, and interconnecting devices 12a, 12b and 12c that connect the network
devices 14a, 14b, 14c and 14d to the network administration apparatus 10.

[0051] The network administration apparatus 10 receives from each of the network devices 14a,
14b, 14c and 14d a MAC address thereof. The MAC address is an example of device identifying
information that specifies the network device. The network administration apparatus 10 sets
VLAN groups of the respective network devices 14a, 14b, 14c and 14d based on the received
MAC addresses. More specifically, the network administration apparatus 10 assigns the VLAN
group for the network devices 14a, 14b, 14c and 14d and the corresponding connection ports
16c, 16d, 16e and 16f of the interconnecting devices 12b and 12c, thereby enabling the
network devices 14a, 14b, 14c and 14d to perform communications in the respective VLANs.

[0052] The interconnecting devices 12b and 12c may be wireless interconnecting devices that can
perform wireless communications with the network devices 14a, 14b, 14c and 14d. In the
computer network system including the wireless interconnecting devices, even if a location of
the network device is changed, it is possible for the network device to perform wireless
communication in the VLAN group to which the network device belongs by forming the MAC
address-based VLAN, without changing the setting of the network device.

[0053] The network administration apparatus 10 receives, from each of the interconnecting devices
12b and 12c, the MAC address thereof, and sets the VLAN groups of the interconnecting
devices 12b and 12c based on the received MAC addresses. In this case, the network
administration apparatus 10 enables the interconnecting devices 12b and 12c to perform
communications in the respective VLANs by assigning the VLAN group, to which the
interconnecting devices 12b and 12c are to belong, to the connection ports 16a and 16b of the
interconnecting device 12a to which the interconnecting devices 12b and 12c are respectively
connected.

[0054] The network administration apparatus 10 may enable the interconnecting device 12b to
perform communications in a plurality of VLANs by setting the connection port 16a of the
interconnecting device 12a to a plurality of VLAN groups. For example, the network
administration apparatus 10 enables the network devices 14a and 14b connected to the
interconnecting device 12b to perform communications in VLAN 1 or 2 by setting the
connection port 16a of the interconnecting device 12a to the VLAN 1 or 2.

[0055] The computer network system of the present embodiment may add a tag for specifying a
VLAN to an Ethernet frame. In other words, the MAC address-based VLAN of the present
embodiment may be combined with a tagging VLAN, in which the VLAN is divided based on
information of the tag, or a multiple VLAN, in which a given connection port is made to belong
to a plurality of VLAN groups. 

[0056] Moreover, the network administration apparatus 10 may assign the VLAN groups of the
interconnecting devices 12b and 12c to the connection ports 16a and 16b of the
interconnecting device 12a by using a port-based VLAN, while setting the VLAN groups of the
network devices 14a and 14b in the interconnecting device 12b and the VLAN groups of the
network devices 14c and 14d in the interconnecting device 12c by using the MAC
address-based VLAN.

[0057] According to the computer network system of the present embodiment, a more flexible 
network can be configured by using a combination of the port-based VLAN and the MAC 
address-based VLAN of the present embodiment. 

[0058] Fig. 2 illustrates a structure of the network administration apparatus 10 according to the
present embodiment. The network administration apparatus 10 includes a VLAN information
database 100 that stores a MAC address and a VLAN group of each of one or more network
devices so as to correspond to each other, a receiving unit 102 that receives from a network
device a MAC address thereof, a database updating unit 104 that stores the MAC address
received by the receiving unit 102 in the VLAN information database 100, a setting unit 106 
that assigns a desired VLAN group to a network device based on the information stored in the 
VLAN information database 100, and a detecting unit 108 that detects a network device newly 
connected to a network. 

[0059] The detecting unit 108 detects the network device newly connected to the network or a
network device in the network that has just been turned on. The receiving unit 102 then
receives from the network device detected by the detecting unit 108 a MAC address thereof.
The database updating unit 104 stores the MAC address received by the receiving unit 102 in
the VLAN information database 100 in such a manner that the received MAC address
corresponds to the VLAN group to which the network device having the received MAC address
is to belong. The setting unit 106 then assigns the VLAN group stored in the VLAN information
database 100 that corresponds to the received MAC address to the network device having the
received MAC address.

[0060] The detecting unit 108 also detects a network device that has been removed from the
network or that has been turned off. The database updating unit 104 then deletes the MAC
address of the detected network device from the VLAN information database 100. The setting
unit 106 assigns a default VLAN group to a connection port of an interconnecting device for the
network device detected by the detecting unit 108, i.e., the default VLAN group is assigned to
network devices which have not been authorized by the network administration apparatus 10.
Further, the setting unit 106 may assign the default VLAN group to a deleted network device
that has been removed or turned off as described above. Alternatively, the database updating
unit 104 may delete the MAC address of the network device detected by the detecting unit 108
from the VLAN information database 100 when a predetermined time period has passed after
detection that the network device was removed from the network or was turned off. Moreover,
the VLAN information database 100 may store the MAC address of the detected network device
so as to correspond to the default VLAN group.

[0061] According to the network administration apparatus 10 of the present embodiment, the
database updating unit 104 stores a MAC address of a certain network device received by the
receiving unit 102 from that network device. Thus, the network administrator can form the MAC
address-based VLAN easily without registering MAC addresses of network devices in the VLAN
information database 100 in advance. In addition, in the present embodiment, the network
administration apparatus 10 deletes the MAC address of the network device that was removed
from the network or was turned off from the VLAN information database 100 and assigns the
default VLAN group to the network device having the deleted MAC address. Thus, it is possible
to prevent improper entry to the VLAN.

[0062] Fig. 3 shows an exemplary data format of a VLAN information file stored in the VLAN
information database 100. The VLAN information file includes a VLAN group field, a user ID
field, a password field and a MAC address field. The VLAN group field stores information for
specifying a type of a VLAN. The user ID field stores user identifying information that specifies
a user of a network device. The password field stores a password used for certifying the user
specified by the user identifying information in the associated user ID field. The MAC address
field stores a MAC address of a network device that is to belong to the VLAN group specified by
the associated VLAN group field.

[0063] The user identifying information and the password that are to be stored in the user ID field
and the password field, respectively, are registered by the user of the network device or the
network administrator in advance. The MAC address received by the receiving unit 102 (see Fig.
2) from the network device through the network is stored in the MAC address field. The user of
the network device logs in to the network administration apparatus 10 by means of the network
device and inputs the user ID and password. The database updating unit 104 of the network
administration apparatus 10 stores the MAC address received by the receiving unit 102 after
certifying the user ID and the password that have been input by using the user identifying
information and the password stored in the user ID field and the password field, respectively.

[0064] In a case of a network device that cannot log in to the network administration apparatus 10
through the network to send the user ID and the password to the network administration
apparatus 10, the MAC address of the network device may be registered in advance in the VLAN
information file in the VLAN information database 100 so as to correspond to a desired VLAN
group. The setting unit 106 assigns the VLAN group specified by the VLAN group field to the
network device having the MAC address stored in the corresponding MAC address field.

[0065] According to the network administration apparatus 10 of the present embodiment, it is
possible to certify the user ID and password input in the network device by using the user ID
and password registered in advance and to register the MAC address of the network device that
has been certified. Thus, the administrator can form a MAC address-based VLAN not by
registering the MAC address, which is typically a complicated character string, in the VLAN
information database 100, but by registering the user ID and the password therein.

[0066] Fig. 4 is a flowchart of a VLAN setting procedure in the network administration apparatus
10. First, the detecting unit 108 detects a network device that has been connected to the
network or has just been turned on (S100). More specifically, the detecting unit 108 receives
information of a connection port of an interconnecting device based on a linkUp trap from the
interconnecting device so as to detect the network device newly connected to the network or
that has just been turned on.

[0067] In a case where a MAC address of a network device is added to the information of the
connection port of the interconnecting device, the interconnecting device may send the added
MAC address to the network administration apparatus 10. In this case, the detecting unit 108
detects the network device newly connected to the network or turned on by receiving the MAC
address from the interconnecting device.

[0068] The network device newly connected to the network or newly turned on is set to belong to
the default VLAN group since the default VLAN group is assigned to the connection port of the
interconnecting device that is not performing communication, and then performs
communication with the network administration apparatus 10 that belongs to the default VLAN
group. Then, the receiving unit 102 of the network administration apparatus 10 receives, from
the network device to which the default VLAN group is assigned and which has been detected by
the detecting unit 108, the MAC address of that network device (S102).

[0069] The database updating unit 104 then refers to the VLAN information database 100 (S104),
and determines whether or not the MAC address received by the receiving unit 102 is stored in
the VLAN information database 100 (S106). In a case where the database updating unit 104
determines that the received MAC address is stored in the VLAN information database 100 in
Step S106, the setting unit 106 changes the VLAN setting of the network device that belongs to
the default VLAN group so as to belong to the other VLAN group that is stored in the VLAN
information database 100 to correspond to the MAC address received by the receiving unit 102
(S116).

[0070] In another case where the database updating unit 104 does not determine that the MAC
address received by the receiving unit 102 is stored in the VLAN information database 100 in
Step S106, the receiving unit 102 receives, from the network device belonging to the default
VLAN group, the user ID and the password thereof (S108). The database updating unit 104 then
refers to the VLAN information database 100 (S110), and certifies the user ID and the password
received by the receiving unit 102 (S112). When the user ID and the password are not certified
in Step S112, the setting unit 106 does not change the VLAN setting of the network device that
belongs to the default VLAN group.

[0071] When the user ID and the password have been successfully certified in Step S112, the
database updating unit 104 then stores the MAC address received by the receiving unit 102 in
the VLAN information database 100 in such a manner that the received MAC address
corresponds to the user ID and the password both received by the receiving unit 102 (S114).
The setting unit 106 then changes the VLAN setting of the network device that belongs to the
default VLAN group so as to make that network device belong to the VLAN group stored in the
VLAN information database 100 to correspond to the user ID and the password received by the
receiving unit 102 (S116).

[0072] Fig. 5 is a flowchart of a procedure for assigning the default VLAN group to a network
device in the network administration apparatus 10. First, the detecting unit 108 detects the
network device that has been removed from the network or has been turned off (S200). More
specifically, the detecting unit 108 receives information of the connection port of the
interconnecting device based on a linkDown trap from the interconnecting device, so as to detect
the network device removed from the network or turned off.

[0073] In a case where a MAC address of a network device is deleted from the information of the 
connection port of the interconnecting device, the interconnecting device may send the deleted 
MAC address to the network administration apparatus 10. The detecting unit 108 then detects 
the network device removed from the network or turned off by receiving the MAC address from 
the interconnecting unit. 

[0074] Then, the receiving unit 102 receives, from the interconnecting device to which the network
device detected by the detecting unit 108 is connected, the MAC address thereof (S202). In a
case where a predetermined time period has passed after the communication from the network
device having the MAC address received by the receiving unit 102 was stopped (S204), the
database updating unit 104 deletes the received MAC address from the VLAN information
database 100 (S206). The setting unit 106 then assigns the default VLAN group to the
connection port of the interconnecting device for the network device detected by the detecting
unit 108 (S208).
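
The procedures of Figs. 4 and 5, applied to a record in the Fig. 3 format, can be sketched as follows. This is an added example, not code from the present application; the class and function names, the default group name, the 300-second idle period and the use of a salted PBKDF2 hash in the password field are assumptions.

```python
import hashlib, hmac, os
from dataclasses import dataclass
from typing import Optional

DEFAULT_VLAN = "default"   # assumed name of the default VLAN group
IDLE_TIMEOUT = 300.0       # assumed "predetermined time period" in seconds

def _hash(password: str, salt: bytes) -> bytes:
    # Assumption: keep a salted PBKDF2 hash in the password field, not the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Record:              # one row of the Fig. 3 VLAN information file
    vlan_group: str
    user_id: str
    salt: bytes
    pw_hash: bytes
    mac: Optional[str] = None   # empty until the user is certified (S114)

class VlanAdmin:
    def __init__(self):
        self.records = []

    def register_user(self, vlan_group, user_id, password):
        salt = os.urandom(16)
        self.records.append(Record(vlan_group, user_id, salt, _hash(password, salt)))

    def on_link_up(self, mac, user_id=None, password=None):
        """Fig. 4: return the VLAN group for a newly detected device."""
        mac = mac.lower()
        for r in self.records:                    # S104/S106: is the MAC stored?
            if r.mac == mac:
                return r.vlan_group               # S116
        if user_id is None or password is None:
            return DEFAULT_VLAN                   # nothing to certify
        for r in self.records:                    # S108-S112: certify the user
            ok = hmac.compare_digest(r.pw_hash, _hash(password, r.salt))
            if ok and r.user_id == user_id:
                r.mac = mac                       # S114: store the MAC
                return r.vlan_group               # S116
        return DEFAULT_VLAN                       # not certified: no change

    def on_link_down(self, mac, idle_seconds):
        """Fig. 5: after the idle period, delete the MAC and reset the port."""
        if idle_seconds < IDLE_TIMEOUT:           # S204: period not yet passed
            return None
        for r in self.records:
            if r.mac == mac.lower():
                r.mac = None                      # S206
        return DEFAULT_VLAN                       # S208
```

Because the MAC address is deleted at S206, a device that reappears after the idle period is placed in the default VLAN group and must be certified again before it rejoins its own group.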

[0075] In an alternative embodiment, an effective time period in which each network device can
perform communication in the VLAN may be determined in advance, and the database updating
unit 104 may delete from the VLAN information database 100 the MAC address of the network
device for which the predetermined effective time period has passed. Moreover, in response to
a deletion request from the user of the network device, the network administrator may delete
the MAC address of the network device for which the deletion request has been issued from the
VLAN information database 100.

[0076] According to the present embodiment, the network administration apparatus 10 certifies
the user of the network device and registers the MAC address of the network device of the
certified user in the VLAN information database 100. Thus, a high-security MAC address-based
VLAN can be formed. Moreover, it is possible to prevent an improper user from entering the
VLAN by deleting the MAC address of the network device that is not performing communication
from the VLAN information database 100 and assigning the default VLAN group to the
connection port of the interconnecting device that is not performing communication.

[0077] Fig. 6 shows an exemplary hardware structure of the network administration apparatus 10.
The network administration apparatus 10 includes a CPU 700, a ROM 702, a RAM 704, a
communication interface 706, a hard disk drive 708, a database interface 710, a floppy disk
drive 712 and a CD-ROM drive 714. The CPU 700 operates based on at least one program
stored in the ROM 702 and RAM 704. The communication interface 706 allows the
communication with the network administration apparatus through the network. The database
interface 710 writes data into a database and updates the contents of the database. The hard
disk drive 708, which is an example of a storage device, stores setting information and the
program for the operation of the CPU 700.

[0078] The floppy disk drive 712 reads data or a program from a floppy disk 720 to provide the
read data or program to the CPU 700. The CD-ROM drive 714 reads data or a program from a
CD-ROM 722 to provide the read data or program to the CPU 700. The communication
interface 706 can be connected to the network administration apparatus so as to perform data
transmission and data receiving. The database interface 710 can be connected to a database
724 so as to perform data transmission and data receiving.

[0079] Software executed by the CPU 700 is provided to a user while being stored in a recording 
medium such as the floppy disk 720 or the CD-ROM 722. The software stored in the recording 
medium may be compressed or not-compressed. The software is installed from the recording 
medium into the hard disk drive 708, and is then read into the RAM 704 so that the CPU 700 
executes the software. 

[0080] The software provided while being stored in the recording medium, that is, the software to
be installed into the hard disk drive 708, functionally includes a receiving module, a detecting
module, a storing module, a database-updating module, and a setting module. Operations that
are to be executed by the CPU 700 in accordance with instructions of the respective modules to
the computer are the same as the functions and operations of the corresponding components
in the network administration apparatus 10 of the present embodiment, respectively, and
therefore the description thereof is omitted.

[0081] A part or all of the functions and operations of the network administration apparatus 10
according to the embodiment described in the present application can be stored in the floppy
disk 720 or the CD-ROM 722 shown in Fig. 6 as an example of the recording medium.

[0082] These programs may be read directly into the RAM from the recording medium, or read into 
the RAM after being installed into the hard disk drive from the recording medium. Moreover, 
the above-mentioned programs may be stored in a single recording medium or a plurality of 
recording media. Furthermore, the programs may be stored while being encoded. 

[0083] As the recording medium, other than the floppy disk and the CD-ROM, an optical recording
medium such as a DVD or a PD, a magneto-optical recording medium such as an MD, a tape-like
medium, a magnetic recording medium, or a semiconductor memory such as an IC card or
a miniature card can be used. Moreover, a storage device such as a hard disk or a RAM provided
in a server system connected to an exclusive communication network or the Internet may be
used as the recording medium, so that the program can be provided to the network
administration apparatus 10 through the communication network or the Internet. Such a
recording medium is used only for manufacturing the network administration apparatus 10 and
it is therefore apparent that manufacturing or selling such a recording medium as a business can
constitute infringement of the right based on the present application.

[0084] As is apparent from the above, the present invention provides a network administration
apparatus, a network administrating program, a network administrating method and a
computer network system that allow a high-security MAC address-based VLAN to be formed, in
which the VLAN setting can be performed efficiently without the network administrator
setting the MAC address.

[0085] Although the present invention has been described by way of exemplary embodiments, it
should be understood that those skilled in the art might make many changes and substitutions
without departing from the spirit and the scope of the present invention which is defined only
by the appended claims.